A stealthy command line tool to create TCP-over-CDN(http) tunnels that keep your connections cozy and comfortable. Now with public test relay servers!
Join the Discord server for support and discussion: https://discord.gg/7wVKeP88
Also if you like this tool, check out my other project: https://github.com/doxx/doxx.net which is a more advanced VPN based stealth system for avoiding countries and censorship.
DarkFlare is a clever little tool that disguises your TCP traffic as innocent HTTPS requests, letting them pass through corporate firewalls like a VIP at a nightclub. It's like a tunnel, but with more style and less dirt.
It has two parts: a client-side proxy (darkflare-client) that encodes TCP data into HTTPS requests and sends it to a Cloudflare-protected domain, and a server-side proxy (darkflare-server) that decodes the requests and forwards the data to a local service (like SSH on port 22). It’s protocol-agnostic, secure, and uses Cloudflare's encrypted infrastructure, making it stealthy and scalable for accessing internal resources or bypassing network restrictions.
When using this remember the traffic over the tunnel is only as secure as the Cloudflare protection. Use your own encryption.
Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront are not only widely accessible but also integral to the global internet infrastructure. In regions with restrictive networks, alternatives such as CDNetworks in Russia, ArvanCloud in Iran, or ChinaCache in China may serve as viable proxies. These CDNs support millions of websites across critical sectors, including government and healthcare, making them indispensable. Blocking them risks significant collateral damage, which inadvertently makes them reliable pathways for bypassing restrictions.
Internet censorship is a significant issue in many countries, where governments restrict access to information by blocking websites and services. For instance, China employs the "Great Firewall" to block platforms like Facebook and Twitter, while Iran restricts access to social media and messaging apps. In Russia, authorities have intensified efforts to control information flow by blocking virtual private networks (VPNs) and other tools that citizens use to bypass censorship.
AP NEWS In such environments, a tool that tunnels TCP traffic over HTTP(S) through a Content Delivery Network (CDN) like Cloudflare can be invaluable. By disguising restricted traffic as regular web traffic, this method can effectively circumvent censorship measures, granting users access to blocked content and preserving the free flow of information.
FIREWALL/CENSORSHIP
| | | |
v v v v
[Client]──────┐ ┌──────────────────┐ ┌─────────[Target Service]
│ │ │ │ (e.g., SSH Server)
│ │ CLOUDFLARE │ │tcp localhost:22
│tcp │ NETWORK │ │
[darkflare │ │ │ │ [darkflare
client]──────┼───HTTPS───────>│ (looks like │─-HTTPS-───────>│ server]
localhost:2222│ │ normal traffic) │ │ :8080
or stdin/out │ │ │ │
└────────────────┼──────────────────┼────────────────┘
│ │
└──────────────────┘
Flow:
1. TCP traffic ──> darkflare-client
2. Wrapped as HTTPS ──> Cloudflare CDN (or any CDN)
3. Forwarded to ──> darkflare-server
4. Unwrapped back to TCP ──> Target Service
In some cases the direct server might fail TLS. If that happens you can use the CDN server or make sure you have the CA certs:
For Debian-based Systems (e.g., Ubuntu)
sudo apt install ca-certificates
For Red Hat-based Systems (e.g., CentOS, Fedora)
sudo yum install ca-certificates
ssh, rdp, or anything tcp to bypass restrictive firewalls or state controled internet.
Tunneling ppp or other vpn services that leverage TCP.
darkflare-server can launch applications like sshd or pppd. Note that there are issues with host keys and certificate validation on sshd if you don't configure it properly.
Linux's popular pppd daemon will also not run as non-root in some cases, which would require a more complex configuration with sudo.
Breaking past blocked sites!
I did provide an ./examples/nordvpn.ovpn for you to use. Also two scrips for up/down to fix some of the routing issues.
Using the OpenVPN commandline client you can embed the username, password, and it runs the scripts properly for you:
& openvpn --config 127.0.0.1.tcp2222.ovpn --script-security 2
Note: OpenVPN by default screws up the default gateway/route. For testing purposes I added: pull-filter ignore "redirect-gateway" to the .ovpn file. That allows me to force the tunnel to not change the routing. The routing can be fixed by the OpenVPN-up.sh and OpenVPN-down.sh scripts. This is due to the fact that the VPN is connecting to the whole CDN range of IP addresses.
Requests are randomized to look like normal web traffic with jpg, php, etc... with random file names.
Client and server headers are set to look like normal web traffic.
If you have other ideas please send them my way.
Add your new proxy hostname into a free Cloudflare account.
Setup your origin rules to send that host to the origin server (darkflare-server) via the proxy port you choose.
darkflare-client-darwin-arm64 - macOS Apple Silicondarkflare-client-darwin-amd64 - macOS Inteldarkflare-client-linux-amd64 - Linux x64darkflare-client-windows-amd64.exe - Windows x64darkflare-server-* - corresponding server binarieschecksums.txt (recommended)chmod +x darkflare-client-* darkflare-server-*
./darkflare-client -l 2222 -t https://cdn.miami.us.doxx.net:443 -d <my ssh server>:22
Or with direct mode:
./darkflare-client -l 2222 -t https://direct.miami.us.doxx.net:443 -d <my ssh server>:22
Add -debug flag for debug mode
If you want to debug and go directly to the psudo server you can use the -allow-direct flag on the server.
You can replace the doxx.net server with your own and setup your own server:
# HTTPS Server (recommended for production)
./darkflare-server -o https://direct.miami.us.doxx.net:443 -c /path/to/cert.pem -k /path/to/key.pem
# HTTP Server (for testing)
./darkflare-server -o http://direct.miami.us.doxx.net:8080 -allow-direct
-allow-direct flag allows direct connections without Cloudflare headers (not recommended for production)-debug) provides verbose logging of connections and data transfersFor HTTPS mode, you'll need to obtain origin certificates from Cloudflare:
Note: Keep your private key secure and never share it. The certificate provided by Cloudflare is specifically for securing the connection between Cloudflare and your origin server.
ssh user@localhost -p 2222
DarkFlare now supports stdin:stdout mode, allowing you to use the client without binding to local ports. This is particularly useful when: - You don't have privileges to bind to local ports - Local firewalls restrict port binding - You want to integrate with SSH's ProxyCommand
The most common use case is with SSH's ProxyCommand. Add to your ~/.ssh/config:
Host my-remote
HostName remote-server.example.com
User myuser
ProxyCommand darkflare-client -l stdin:stdout -t cdn.example.com -d localhost:22
Then simply connect:
ssh my-remote
Or use directly from the command line:
ssh -o ProxyCommand="darkflare-client -l stdin:stdout -t cdn.example.com -d localhost:22" user@remote-server
DarkFlare can create a sophisticated proxy chain when using SSH ProxyCommand mode:
CORPORATE FIREWALL
| | | |
v v v v
[SSH Client] [Optional Proxy] [Cloudflare] [Target]
| | | |
| | | |
| stdin/stdout | HTTPS | TCP |
| =================> | =================> | =================>|
| darkflare-client | CDN Traffic | darkflare-server |
| | | |
| | | |
Flow:
1. SSH ──> darkflare-client (via stdin/stdout)
2. darkflare-client ──> Optional Proxy (SOCKS5/HTTP)
3. Proxy ──> Cloudflare CDN
4. Cloudflare ──> darkflare-server
5. darkflare-server ──> Target SSH Server
-l 2222), which can trigger firewalls-l stdin:stdout to communicate directly with SSHAvoids all local TCP socket issues
bash
ssh -o ProxyCommand="darkflare-client -l stdin:stdout -t cdn.example.com -d localhost:22" user@remote
Optional Proxy Support
-p to specify an outbound proxyOptional authentication supported
bash
# Format: -p scheme://[user:pass@]host:port
-p socks5://proxy.local:1080
-p http://user:pass@proxy.local:3128
Complete Example with Proxy
bash
ssh -o ProxyCommand="darkflare-client -l stdin:stdout -t cdn.example.com -d localhost:22 -p socks5://proxy.local:1080" user@remote
Add to your ~/.ssh/config for persistent configuration:
Host remote-server
HostName remote-server.example.com
User myuser
ProxyCommand darkflare-client -l stdin:stdout \
-t cdn.example.com \
-d localhost:22 \
-p socks5://proxy.local:1080
Then simply:
ssh remote-server
For scenarios requiring fileless operation on Windows systems, DarkFlare provides DLL variants that can be loaded directly into memory:
Location: `
$ claude mcp add darkflare \
-- python -m otcore.mcp_server <graph>